
Beyond the Worst-Case Assumptions on China’s Cybersecurity Law

There's still an internal tug-of-war over cross-border data flows

Blog Post

Oct. 13, 2017

On June 1, China’s new Cybersecurity Law went into effect. Before and since, there has been intense discussion in international business circles and governments about what the law means in practice. In the United States especially, there has been a tendency to read the law and related documents as a “worst case scenario,” fueling concerns that China’s emerging digital governance regime will systematically disadvantage outside firms and champion domestic tech giants. For example, a September 25 filing by the U.S. government with a World Trade Organization body reflected a dire interpretation of some of China’s ambiguous language.

However, a close look at what Chinese officials are actually saying suggests healthy debate within the Chinese system. While business groups have been lobbying intensely on specific provisions, often responding to early drafts, the Chinese government is still in the process of developing and issuing the regulations, standards, measures, and guidelines that operationalize the new law’s requirements. Not only is that process subject to international pressure (U.S., European, and other international interests continue to seek delays or even the scrapping of some particularly controversial provisions), it is increasingly clear that there remains a keen debate among Chinese interests on these issues. An important government office said as much late last month. Following the U.S. filing at the WTO, China’s Ministry of Public Security (MPS) Third Research Institute, which researches cybersecurity technologies and policies, issued both a Chinese translation of the U.S. letter and a short response in a WeChat post.

This response should not be taken lightly. It sends a clear message that while some interests and voices in China’s policy discussion favor uncompromising interpretations of China’s data protection measures that would significantly disadvantage global firms, other voices, especially those concerned with Chinese companies’ global expansion plans, see downsides in heavy restrictions on cross-border data transfers.

The rest of this post explores some of the nuances of the ongoing discussion, with particular reference to what Chinese policy makers and thinkers are saying about it.

Chinese officials have responded through a variety of channels, calling in foreign information and communication technology (ICT) companies, trade groups, and in some cases embassy officials, for lengthy sessions where Chinese officials, typically from the Cyberspace Administration of China (CAC), present clarifications about particular regulations and take comments, oral and written, from concerned groups.

These CAC efforts to hear and be heard have not been totally successful. Or at least, it is evident that they have not been enough for the U.S. government. In the September 25 WTO filing, the U.S. government noted that although it “has been communicating these concerns directly to high-level officials and relevant authorities in China,” it nonetheless requested that China delay issuing final language or implementing measures related to one specific and complex issue, cross-border transfers of data, until its concerns are addressed. Based on Chinese drafts released for comment, the U.S. filing argued, “The impact of the measures would fall disproportionately on foreign service suppliers operating in China, as these suppliers must routinely transfer data back to headquarters and other affiliates.” In effect, the U.S. government, like so many other concerned parties, faced the uncertainty of an evolving and burdensome regime and has argued for a halt using rhetoric based on worst-case assumptions.

What the U.S. and broader international conversation has missed, however, is that the uncertainty about China’s emerging digital governance regime is not limited to foreign capitals and boardrooms. Indeed, debate and disagreement about how to interpret and implement the key provisions of the Cybersecurity Law thrives within China.

Of course, acknowledging differing views doesn’t mean international firms shouldn’t be concerned; the evolution of this regulatory regime produces tremendous regulatory and political uncertainty in ICT sectors, and that can be costly on its own. Any outcome is likely to pose new challenges for international firms eyeing the Chinese market.

But the live debate within China suggests that the eventual regulatory environment may not be as bleak as worst-case assessments would suggest. Understanding the contours of that debate is a precondition for interested parties to make more effective advocacy and for everyone to better understand the road ahead.

What is driving the concern over China’s new Cybersecurity Law, and why does Beijing want a data protection regime with Chinese characteristics?

While there are numerous areas of concern for foreign ICT businesses and their governments, the recent U.S. filing at the WTO provides a good case study. It is primarily concerned with two important regulations, associated with China’s Cybersecurity Law, relating to cross-border data transfers. They are:

The “Measures”: Personal Information and Important Data Cross Border Transfer Security Evaluation Measures (draft for comment) [English] / 个人信息和重要数据出境安全评估办法（征求意见稿）[Chinese]. (NB: These links point to a published April version; industry sources say two additional versions were quietly circulated, in May and August.)

The “Guidelines”: Information Security Technology - Guidelines for Data Cross-Border Transfer Security Assessment (draft) / 信息安全技术数据出境安全评估指南（草案）[Chinese].

Like any thorough digital-era data protection regime, China’s emerging rules require different protection practices for different types of data. Unlike some data protection regimes, however, documents such as these, if implemented, would require that certain types of data be stored in China and that special rules be followed before transferring certain types of data abroad. If fully implemented, operators of the broad category of “critical information infrastructure” would be required to undergo security reviews that assess both any risks associated with transferring the data concerned and whether the recipient of the data has sufficient protections in place.

These reviews are not comparable with requirements under international regimes such as the voluntary APEC Cross-Border Privacy Rules (CBPR) or the EU’s General Data Protection Regulation (GDPR). Passing one of these Chinese reviews for outbound data transfer is linked not merely to personal privacy or raw data security, but also to “national security” and broader, more ambiguous concerns like “the people’s livelihood” (Cybersecurity Law Article 31) or “economic development and social and public interests” (in the “Guidelines” referenced below).

Still, the two documents take on a challenge that many governments face and that the U.S. government hasn’t yet approached in a holistic way. They put forward a rules-based system that attempts to balance company responsibility with government mandates, recognizing that business and technological realities require allowing certain types of data to be transferred outside of China. The result so far positions China between the stricter provisions of the GDPR in Europe and the more voluntary and less stringent requirements of the APEC CBPR.

The U.S. filing with the WTO argues that “Many less burdensome options exist to achieve privacy objectives, including” the CBPR. But conversations with Chinese policymakers suggest that CAC views this suggestion as a continuation by other means of efforts in the failed Trans-Pacific Partnership (TPP) to spread U.S.-preferred digital economy trade provisions, principles that many in China see as outdated and insufficient to address a country’s data protection needs. European regulators behind the stricter GDPR appear to agree that the generally more laissez-faire U.S. approach does not meet the challenge. Given that international “best practices” are incomplete at best, a leading CAC data expert noted: “Why would China not proceed from its own interests, and make an independent choice?” Even apart from any differing views on the policy goals of a data protection regime, the inadequacy of already existing international regimes explains why China’s government is unlikely to simply adopt something already out there, and why trade groups and governments asking China to scrap or halt implementation of the Measures are unlikely to succeed. Even if broader international regimes are to emerge in the future, it is unrealistic to expect China’s government not to cement its preferences before the inevitable years of negotiation.

Why a terse Chinese government response to a U.S. filing matters

The early Chinese comment on the U.S. WTO filing, expressed on an official social media account but not apparently reported in state media, runs to only three short paragraphs, the last two of which are translated here. The final two sentences of the translation (the last sentence of the first paragraph and the whole of the second) are crucial:

With the release of Personal Information and Important Data Cross Border Transfer Security Evaluation Measures (draft for comment) (个人信息和重要数据出境安全评估办法（征求意见稿）) and Information Security Technology - Guidelines for Data Cross-Border Transfer Security Assessment (draft) (信息安全技术数据出境安全评估指南（草案）) and other documents and standards, the original principles, provisions, and clauses of the Cybersecurity Law are being gradually clarified. The aforementioned draft underwent revision, adjustment, and improvement between the first and second drafts, responding in part to the main concerns of domestic and foreign enterprises. Some of these organizations’ requirements already influenced the law, for example in the amount of data required for assessment, the period of time data must be retained, etc. But the controversy and compromise have not yet been resolved, which will continue to test the technological and coordinating capabilities of the legislature.

Although the Cybersecurity Law already has formally taken effect, it is foreseeable that various stakeholders in the game will persist in the tendency to make interpretations.

These two sentences underscore that there are balancing forces in the Chinese system, forces that represent different approaches and interests. They suggest a lack of unanimity within and among the bureaucracies that will ultimately be responsible for enforcing the Measures and reporting to senior authorities on how enforcement affects multinationals operating in China. They underline that Chinese businesses, not just foreign ones, have expressed concerns. And they make explicit that interpreting the Cybersecurity Law and the eventual final Measures will continue to be necessary, numerous regulatory authorities will take on new responsibilities, and it will take time for clarity to emerge for businesses. This process of interpretation will almost surely include a prolonged period of negotiation among authorities and stakeholders, as the operational costs of the strictest interpretations may not be immediately clear to regulators.

Hence, the Chinese response to the WTO letter should not be dismissed. It signals important internal debate within China’s political system over how to develop, implement, and enforce China’s emerging data protection regime.

Competing Voices

Some of this internal debate can be observed in public sources, yet a textured understanding of the competing voices is missing from much of the U.S. public conversation. Key players in China think that cutting off cross-border data flows will hurt the country’s global economic goals. From national tech champions like Alibaba seeking global markets, to Chinese financial institutions facilitating global transactions, cross-border data flows are a core operational reality.

Key policy thinkers, not just businesses or foreign governments, are conscious of the dilemma. Dr. Hong Yanqing is an example of an authoritative figure who has written about the importance of “balancing development with security.” Hong is research director at the Internet Development Research Institute at Peking University, leads the personal data protection project for TC260, and is deputy head of the task force for the Guidelines. He writes: “A fundamental consensus has emerged today that data naturally flows across national borders, that data flows produce value, and that data flows can lead to flows of technology, capital, and talent. Therefore, data flows are the norm, and circumstances where flows are limited are the exception. This is well reflected in the Measures.” However, critically, Hong notes that “data has become a national basic strategic resource.” This means the Chinese government believes that data is on par with other natural resources such as oil and gas, and requires a protection system that provides the government with insight into what types of data are flowing across borders. Beijing’s approach therefore is more expansive than that of the European Union, which views data protection primarily through the lens of user privacy.

Chinese companies with global aspirations are also concerned about how China’s evolving approach to cross-border data transfer will affect their operations. E-commerce giant Alibaba in particular is attuned to the provisions of the Cybersecurity Law related to data flows. The company headquarters has been quiet on the issue, but one of its prominent think tanks, the Ali Data Center for Economic Research, advocated for the “free flow of information and data to drive the Internet and global economy,” and argued that obstructions would create problems for Chinese Internet companies overseas. The article’s authors cite statistics saying that in 2015 Alibaba had 21.24 million cross-border export orders in over 200 countries and regions, and 30 million Chinese consumers bought imported goods. Burdensome data transfer regimes could undermine Alibaba and other Chinese tech leaders like Baidu and Tencent as they develop cloud services, artificial intelligence research and development centers, and consumer-facing services around the world.

How responsive is Beijing to these voices?

Already, some quietly circulated revisions to the rules related to cross-border data transfer reflect more nuance in how the Chinese government is approaching the issue than the dire warnings of the U.S. WTO filing would suggest. To be sure, the rules remain vague and provide ample room for political whim by Beijing to limit market access, if it chooses to do so. But the Chinese government has demonstrated a degree of responsiveness to foreign and domestic industry concerns that should be recognized.

In April, the CAC met significant backlash from both foreign and domestic industry when it released the first draft of the Measures. Article 2 of the Measures mandated that all personal information and “important data” be localized in mainland China. This marked a significant expansion from the scope of the Cybersecurity Law itself. Article 37 of the law is narrower: It requires only personal information and other important data gathered or produced by entities designated as operators of critical information infrastructure to be stored within China. The outcry over the change led the CAC to walk back this stipulation in a second draft of the Measures circulated in May. In addition, in that draft, CAC moved the effective compliance date for the Measures to December 31, 2018, from June 1, 2017.

In August, the Chinese government made some small tweaks to the rules in a third draft (circulated within parties affected by provisions in the Measures but not yet released to the public). Changes included eliminating the threshold of 1,000 GB of data as a trigger for regulatory assessment, and an addition regarding implied consent for personal information. Going forward, it will be important to watch the rules and standards associated with securing “critical information infrastructure.”

Calibrating the right U.S. policy response

At this formative moment, when China’s evolving approach to the critical issue of cross-border data flows is still in flux and Chinese cloud services and payments operations are expanding overseas, it would be a missed opportunity to disregard the locus of active debate in favor of worst-case assumptions. The U.S. government seems to have committed for the moment to a more confrontational approach to bilateral trade with China, and that could interfere with U.S. advocacy on other issues.

An ongoing U.S. Trade Representative investigation into China’s industrial policies and trade practices will necessarily complicate efforts to continue industry input into China’s evolving approach to data protection and its cross-border data regime development. With the near certainty that the investigation will end in a finding that Chinese practices are unacceptable, U.S. countermeasures could tighten the room for maneuver across many issues, including cross-border data transfers. International advocates for a more pragmatic and open regime for data flows, therefore, should be especially conscious of where the debate within China remains alive.

The data flows issue will remain salient for the future of global trade, and there appears to be a glaring lack of a suitable forum within which to discuss these issues bilaterally between the United States and China, or multilaterally with the EU. With the demise of TPP, multilateral trade regimes that do not include major players such as China appear to have reached a dead end for the time being. In the meantime, the Track 2 environment could provide much-needed space to explore critical emerging digital economy issues in a manner diverse economies could support. Even as governments verge on confrontational trade diplomacy, stakeholders will be best served by devoting careful attention to the ways different countries are meeting the new and evolving challenges of formulating digital policy, and by searching for approaches that allow for pragmatic interoperability online, rather than an unrealistic one-size-fits-all solution.